Organized Crime Behind Virus Affecting Ohio Schools, FBI Says

The TrickBot computer virus that forced the Coventry Local Schools to shut down and compromised district systems was after banking information, an FBI agent told the superintendent.

by Alan Ashworth, Akron Beacon Journal / May 21, 2019

(TNS) — A cyberattack that closed Coventry Local Schools on Monday and compromised the district's computer system has drawn the attention of the FBI, Superintendent Lisa Blough said.

Blough said in a phone interview that the FBI reached out to the district on Monday. She spoke with an agent who gave her details on the TrickBot malware infecting the district's computer system.

"He shared with me that the goal of the virus is to get banking information or money from those that are attacked," Blough said. "One of the first computers infected was in the treasurer's office."

A couple of employees believe their Amazon accounts were infiltrated, Blough said.

Initially, officials in the 2,000-student district were unsure of a connection, but it now seems likely.

"As we have been going throughout the day we're seeing definitely that this virus has reached this level of penetration," Blough said.

Blough said IT personnel became aware of the problem late last week and have been working since then to counter the attack. FBI experts now on location are expected to help evaluate the extent of the infiltration.

"We actually became aware of the extensive damage that was being done late Friday afternoon," Blough said. "Our first steps were to try to assess how much damage was being done."

The staff also moved to disconnect all devices connected to the Internet. They worked through the weekend.

Blough said IT personnel noticed unusual activity, but the antivirus software being used didn't track it.

"When they were scanning the machines," Blough said, "they were showing no threats."

NEOnet, an information technology center used by most school districts in Summit County, also alerted the school system.

"Once they saw the number of machines being impacted, they quarantined [us] from the network," Blough said.

The superintendent said the virus affected several operations, including the phone and HVAC systems.

"Our [HVAC] system was on the network," she said. "It shut down our heating and cooling system."

Blough didn't have an early estimate of the financial impact of the attack, but said the costs would be significant.

In addition to any devices that will have to be replaced, some employees will need to work summer hours.

"I do know that we are going to be looking at having [some] staff work in the summer," Blough said.

Blough said the district at no time suspected a student in the cyberattack despite its occurrence before the last school day for seniors. The FBI, too, suspects something more sinister.

"[The FBI] said organized crime is behind this virus," Blough said.

The TrickBot malware affecting Coventry is described by cybersecurity professionals as a banking Trojan that targets Windows-based systems and steals data and credentials.

According to F-Secure, a cybersecurity website, the operators behind TrickBot distribute it as a file attached to spam email messages. It often infects Microsoft Excel and runs tasks to acquire credentials and account information.

Blough said she's aware of other local school districts that have experienced cyberattacks, but not at this level.

In January, a cyberattack took the city of Akron's 311 system offline and caused havoc with its email system. An Ohio National Guard unit that specializes in cybercrime was sent to help thwart the attack and the FBI opened an investigation. The city has not released results from the investigation or issued updates on its progress.

Blough advised students to update and improve passwords and to use care with emails.

"You can never be too careful," she said. "Always err on the side of caution."